Assign a security group
We do not recommend configuring security groups on existing networks: this can cause load balancer failures and disrupt cloud database replication. To avoid failures and data loss, create a new private network or public subnet, enable port security on it, and configure the groups there.
Port security must be enabled on the network. If filtering is enabled on the network, a security group named default is assigned to a port when the port is created. You can also specify a different security group when creating a port or server, and it is assigned instead of the default group.
You can assign a security group:
- to a port: when creating the port, or to an existing cloud server port;
- to a server: when creating the server.
In the control panel, you can only assign a group to an existing port.
Assign a security group when creating a port
OpenStack CLI
1. Create a port with a security group:

   openstack port create \
     --network <network> \
     --fixed-ip subnet=<subnet>,ip-address=<port_ip_address> \
     --security-group <security_group> \
     <port_name>

   Specify:
   - <network>: the ID or name of the network; view it with the command openstack network list. For a public subnet it is the same as the <subnet> parameter;
   - <subnet>: the ID or name of the subnet; view it with the command openstack subnet list;
   - <port_ip_address>: the IP address of the port;
   - <security_group>: the ID or name of the security group; view it with the command openstack security group list;
   - <port_name>: the port name.
2. Add the port to the server:

   openstack server add port <server> <port>

   Specify:
   - <server>: the ID or name of the cloud server; view it with the command openstack server list;
   - <port>: the ID or name of the port you created in the previous step; view it with the command openstack port list.
Assign a group to an existing cloud server port
Once a group is assigned to a port, all active sessions that do not match the group's rules are terminated.
Private subnet, global router subnet
Control panel
1. In the Control panel, on the top menu, click Products and select Cloud Servers.
2. Open the server page → Ports tab.
3. In the port card, in the Security Groups field, click the icon.
4. In the Security Groups field, check the groups you want to assign to the port, or click New Security Group and create a group.
5. Click Save.
OpenStack CLI
1. Assign a security group to the port:

   openstack port set \
     --security-group <security_group> \
     <port>

   Specify:
   - <security_group>: the ID or name of the security group; view it with the command openstack security group list;
   - <port>: the ID or name of the port; view it with the command openstack port list.
Public subnet
Control panel
1. In the Control panel, on the top menu, click Products and select Cloud Servers.
2. Open the server page → Ports tab.
3. On the port line, in the Security Groups field, click the icon.
4. In the Security Groups field, check the groups you want to assign to the port, or click New Security Group and create a group.
5. Click Save.
OpenStack CLI
1. Assign a security group to the port:

   openstack port set \
     --security-group <security_group> \
     <port>

   Specify:
   - <security_group>: the ID or name of the security group; view it with the command openstack security group list;
   - <port>: the ID or name of the port; view it with the command openstack port list.
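The script below is an added example; it is not part of this instruction or of the provider's tooling. It wraps openstack port set with the two checks that follow from the text above: that port security is enabled on the network before a group is assigned, and that the group is actually present on the port afterwards (the assignment is the moment existing non-matching sessions are dropped, so it is worth confirming). It assumes an authenticated OpenStack CLI session (OS_* variables or clouds.yaml); the port, group and network names are placeholders passed as arguments. The same port-security check applies before openstack port create --security-group in the section above.

```shell
#!/bin/sh
# Added example (not from the original page): assign a security group to a
# port with the OpenStack CLI only after verifying the preconditions, then
# confirm the result. Assumes an authenticated CLI session; all names passed
# in are placeholders chosen by the caller.

# 0 if the network reports port_security_enabled = True, 1 if it is False,
# 2 if the network cannot be shown at all.
network_port_security_enabled() {
    val=$(openstack network show -f value -c port_security_enabled "$1") || return 2
    [ "$val" = "True" ]
}

# Resolve a security group name to its ID (names need not be unique, IDs are).
sg_id() {
    openstack security group show -f value -c id "$1"
}

# 0 if the port's security_group_ids list contains the given group ID.
# With -f value the CLI renders the list on one line as "id1, id2".
port_has_sg() {
    ids=$(openstack port show -f value -c security_group_ids "$1") || return 2
    case ", $ids, " in
        *", $2, "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Assign group $2 to port $1, which sits on network $3. Refuses to proceed
# when port security is off or the group does not exist, and reports an error
# if the group is not visible on the port after the change.
assign_sg_to_port() {
    port="$1"; group="$2"; net="$3"
    if ! network_port_security_enabled "$net"; then
        echo "refusing: port security is not enabled on network $net" >&2
        return 1
    fi
    gid=$(sg_id "$group") || { echo "security group $group not found" >&2; return 1; }
    if port_has_sg "$port" "$gid"; then
        echo "port $port already has group $group ($gid)"
        return 0
    fi
    # --security-group adds the group alongside any already on the port;
    # active sessions that do not match the group's rules are dropped here.
    openstack port set --security-group "$gid" "$port" || return 1
    port_has_sg "$port" "$gid" || { echo "group $gid not visible on port $port after set" >&2; return 1; }
    echo "assigned $group ($gid) to port $port"
}

# Usage: sh assign-sg.sh <port> <security_group> <network>
if [ "$#" -eq 3 ]; then
    assign_sg_to_port "$1" "$2" "$3"
fi
```

Note that openstack port set --security-group appends to the groups already on the port; to replace the existing set rather than extend it, pass --no-security-group together with --security-group in the same command.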
Assign a group when creating a server
The group will only be assigned to ports that are created with the server.
OpenStack CLI
1. Create a cloud server on the subnet, specifying a security group:

   openstack server create \
     [--image <image> | --volume <volume> | --snapshot <snapshot>] \
     --flavor <flavor> \
     --availability-zone <pool_segment> \
     --nic net-id=<net_uuid> \
     --security-group <security_group> \
     --key-name <key_name> \
     <server_name>

   Specify:
   - source type:
     - --image <image>: to create a server from an off-the-shelf or custom image. <image> is the ID or name of the image; view it with the command openstack image list;
     - --volume <volume>: to create a server from a network disk. <volume> is the ID or name of the disk; view it with the command openstack volume list;
     - --snapshot <snapshot>: to create a server from a snapshot. <snapshot> is the ID or name of the snapshot; view it with the command openstack snapshot list;
   - <flavor>: the ID or name of the flavor. Flavors correspond to cloud server configurations and determine the number of vCPUs, the RAM, and (optionally) the local disk size of the server. You can use a fixed configuration flavor or create your own. For example, 4011 is the ID for a Memory Line fixed configuration server with 2 vCPUs and 16 GB RAM in the ru-9 pool. View the list of flavors with the command openstack flavor list or in the table List of fixed configuration flavors in all pools;
   - <pool_segment>: the pool segment in which the cloud server will be created, e.g. ru-9a. The list of available pool segments can be found in the Availability matrices instructions;
   - <net_uuid>: the ID of the private or public network to which the server will be connected; view it with the command openstack network list;
   - <key_name>: the name of the service user's SSH key pair. If you have not created SSH keys, generate them. View the list with the command openstack keypair list;
   - <security_group>: the ID or name of the security group; view it with the command openstack security group list;
   - optional: --block-device-mapping vdb=<extra_volume>: to add an additional disk. <extra_volume> is the ID or name of the extra disk; view it with the command openstack volume list;
   - optional: --tag <tag_name> --os-compute-api-version 2.52: a tag to add additional information about the server. <tag_name> is the tag name;
   - optional: --tag preemptible --os-compute-api-version 2.72: a tag to create an interruptible server;
   - optional: --user-data <user_data.file>: to specify a script to run at the first boot of the operating system. <user_data.file> is the path to the script in Base64 encoding. Examples of scripts can be found in the User data instruction;
   - <server_name>: the server name.